[转]Setting Keystone v3 domains
http://www.florentflament.com/blog/setting-keystone-v3-domains.html
The Openstack Identity v3 API, provided by Keystone, offers features that were lacking in the previous version. Among these features, it introduces the concept of domains, allowing isolation of projects and users. For instance, an administrator allowed to create projects and users in a given domain, may not have any right in another one. While these features look very exciting, some configuration needs to be done to have a working identity v3 service with domains properly set.
Keystone API protection section of the developer's doc provides hints about how to set-up a multi-domain installation. Starting from there, I describe the full steps to have a multi-domain setup running, by using curl
to send http requests and jq
to parse the json answers.
Setting an admin domain and a cloud admin
First, we have to start on a fresh non multi-domain installation with the default policy file.
With the
admin
user we can create theadmin_domain
.ADMIN_TOKEN=$(\
curl http://localhost:5000/v3/auth/tokens \
-s \
-i \
-H "Content-Type: application/json" \
-d '
{
"auth": {
"identity": {
"methods": [
"password"
],
"password": {
"user": {
"domain": {
"name": "Default"
},
"name": "admin",
"password": "password"
}
}
},
"scope": {
"project": {
"domain": {
"name": "Default"
},
"name": "admin"
}
}
}
}' | grep ^X-Subject-Token: | awk '{print $2}' ) ID_ADMIN_DOMAIN=$(\
curl http://localhost:5000/v3/domains \
-s \
-H "X-Auth-Token: $ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d '
{
"domain": {
"enabled": true,
"name": "admin_domain"
}
}' | jq .domain.id | tr -d '"' ) echo "ID of domain cloud: $ID_ADMIN_DOMAIN"Then we can create our
cloud_admin
user, within theadmin_domain
domain.ID_CLOUD_ADMIN=$(\
curl http://localhost:5000/v3/users \
-s \
-H "X-Auth-Token: $ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d "
{
\"user\": {
\"description\": \"Cloud administrator\",
\"domain_id\": \"$ID_ADMIN_DOMAIN\",
\"enabled\": true,
\"name\": \"cloud_admin\",
\"password\": \"password\"
}
}" | jq .user.id | tr -d '"' ) echo "ID of user cloud_admin: $ID_CLOUD_ADMIN"And we grant to our user
cloud_admin
theadmin
role on domainadmin_domain
.ADMIN_ROLE_ID=$(\
curl http://localhost:5000/v3/roles?name=admin \
-s \
-H "X-Auth-Token: $ADMIN_TOKEN" \
| jq .roles[0].id | tr -d '"' ) curl -X PUT http://localhost:5000/v3/domains/${ID_ADMIN_DOMAIN}/users/${ID_CLOUD_ADMIN}/roles/${ADMIN_ROLE_ID} \
-s \
-i \
-H "X-Auth-Token: $ADMIN_TOKEN" \
-H "Content-Type: application/json" curl http://localhost:5000/v3/domains/${ID_ADMIN_DOMAIN}/users/${ID_CLOUD_ADMIN}/roles\
-s \
-H "X-Auth-Token: $ADMIN_TOKEN" | jq .rolesOnce the
admin_domain
has been created with itscloud_admin
user, we can enforce a domain based policy. In order to do that, we have to copy the policy.v3cloudsample.json file over our former/etc/keystone/policy.json
, while replacing the stringadmin_domain_id
by the ID of theadmin_domain
we just created. Locate thepolicy.v3cloudsample.json
file into theetc
directory of Keystone's source.sed s/admin_domain_id/${ID_ADMIN_DOMAIN}/ \
< policy.v3cloudsample.json \
> /etc/keystone/policy.json
Warning, current version (commit 19620076f587f925c5d2fa59780c1a80dde15db2) of policy.v3cloudsample.json doesn't allow cloud_admin
to manage users in other domains than its own (see bug 1267187). Until the patch is merged, I suggest using this policy.c3cloudsample.json under review.
Creating domains and admins
From now on, the admin
user can only manage projects and users in the Default
domain. To create other domains we will have to authenticate with the cloud_admin
user created above.
Getting a token scoped on the
admin_domain
, for usercloud_admin
.CLOUD_ADMIN_TOKEN=$(\
curl http://localhost:5000/v3/auth/tokens \
-s \
-i \
-H "Content-Type: application/json" \
-d '
{
"auth": {
"identity": {
"methods": [
"password"
],
"password": {
"user": {
"domain": {
"name": "admin_domain"
},
"name": "cloud_admin",
"password": "password"
}
}
},
"scope": {
"domain": {
"name": "admin_domain"
}
}
}
}' | grep ^X-Subject-Token: | awk '{print $2}' )Creating domains
dom1
anddom2
.ID_DOM1=$(\
curl http://localhost:5000/v3/domains \
-s \
-H "X-Auth-Token: $CLOUD_ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d '
{
"domain": {
"enabled": true,
"name": "dom1"
}
}' | jq .domain.id | tr -d '"') echo "ID of dom1: $ID_DOM1" ID_DOM2=$(\
curl http://localhost:5000/v3/domains \
-s \
-H "X-Auth-Token: $CLOUD_ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d '
{
"domain": {
"enabled": true,
"name": "dom2"
}
}' | jq .domain.id | tr -d '"') echo "ID of dom2: $ID_DOM2"Now we will create a user
adm1
in domaindom1
.ID_ADM1=$(\
curl http://localhost:5000/v3/users \
-s \
-H "X-Auth-Token: $CLOUD_ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d "
{
\"user\": {
\"description\": \"Administrator of domain dom1\",
\"domain_id\": \"$ID_DOM1\",
\"enabled\": true,
\"name\": \"adm1\",
\"password\": \"password\"
}
}" | jq .user.id | tr -d '"') echo "ID of user adm1: $ID_ADM1"We will also grant the
admin
role on domaindom1
to thisadm1
user.curl -X PUT http://localhost:5000/v3/domains/${ID_DOM1}/users/${ID_ADM1}/roles/${ADMIN_ROLE_ID} \
-s \
-i \
-H "X-Auth-Token: $CLOUD_ADMIN_TOKEN" \
-H "Content-Type: application/json" curl http://localhost:5000/v3/domains/${ID_DOM1}/users/${ID_ADM1}/roles \
-s \
-H "X-Auth-Token: $CLOUD_ADMIN_TOKEN" | jq .roles
Creating projects and users
The adm1
user can now fully manage domain dom1
. He is allowed to manage as many projects and users as he wishes within dom1
, while not being able to access resources of domain dom2
.
Now we authenticate as user
adm1
with a scope ondom1
.ADM1_TOKEN=$(\
curl http://localhost:5000/v3/auth/tokens \
-s \
-i \
-H "Content-Type: application/json" \
-d '
{
"auth": {
"identity": {
"methods": [
"password"
],
"password": {
"user": {
"domain": {
"name": "dom1"
},
"name": "adm1",
"password": "password"
}
}
},
"scope": {
"domain": {
"name": "dom1"
}
}
}
}' | grep ^X-Subject-Token: | awk '{print $2}' )We create a project
prj1
in domaindom1
.ID_PRJ1=$(\
curl http://localhost:5000/v3/projects \
-s \
-H "X-Auth-Token: $ADM1_TOKEN" \
-H "Content-Type: application/json" \
-d "
{
\"project\": {
\"enabled\": true,
\"domain_id\": \"$ID_DOM1\",
\"name\": \"prj1\"
}\
}" | jq .project.id | tr -d '"' ) echo "ID of prj1: $ID_PRJ1"When trying and creating a project in domain
dom2
, it fails.curl http://localhost:5000/v3/projects \
-s \
-H "X-Auth-Token: $ADM1_TOKEN" \
-H "Content-Type: application/json" \
-d "
{
\"project\": {
\"enabled\": true,
\"domain_id\": \"$ID_DOM2\",
\"name\": \"prj2\"
}\
}" | jq .Creating a standard user
usr1
in domaindom1
, with default projectprj1
.ID_USR1=$(\
curl http://localhost:5000/v3/users \
-s \
-H "X-Auth-Token: $ADM1_TOKEN" \
-H "Content-Type: application/json" \
-d "
{
\"user\": {
\"default_project_id\": \"$ID_PRJ1\",
\"description\": \"Just a user of dom1\",
\"domain_id\": \"$ID_DOM1\",
\"enabled\": true,
\"name\": \"usr1\",
\"password\": \"password\"
}
}" | jq .user.id | tr -d '"' ) echo "ID of user usr1: $ID_USR1"Granting
Member
role to userusr1
on projectprj1
.MEMBER_ROLE_ID=$(\
curl http://localhost:5000/v3/roles?name=Member \
-s \
-H "X-Auth-Token: $ADM1_TOKEN" \
| jq .roles[0].id | tr -d '"' ) curl -X PUT http://localhost:5000/v3/projects/${ID_PRJ1}/users/${ID_USR1}/roles/${MEMBER_ROLE_ID} \
-s \
-i \
-H "X-Auth-Token: $ADM1_TOKEN" \
-H "Content-Type: application/json" curl http://localhost:5000/v3/projects/${ID_PRJ1}/users/${ID_USR1}/roles \
-s \
-H "X-Auth-Token: $ADM1_TOKEN" | jq .roles
The domain administrator adm1
ended up creating a project prj1
and a user usr1
member of the project. usr1
can now get a token scoped onprj1
and manage resources into this project.
[转]Setting Keystone v3 domains的更多相关文章
- 在Keystone V3基础上改进的分布式认证体系
目标 使用java实现keystone v3相关功能与概念: api client authentication service discovery distributed multi-tenant ...
- OpenStack IdentityService Keystone V3 API Curl实战
v3 API Examples Using Curl <Tokens> 1,Default scope 获取token Get an token with default scope (m ...
- 使用openstackclient调用Keystone v3 API
本文内容属于个人原创,转载务必注明出处: http://www.cnblogs.com/Security-Darren/p/4138945.html 考虑到Keystone社区逐渐弃用第二版身份AP ...
- [转]OpenStack Keystone V3
Keystone V3 Keystone 中主要涉及到如下几个概念:User.Tenant.Role.Token.下面对这几个概念进行简要说明. User:顾名思义就是使用服务的用户,可以是人.服务或 ...
- OpenStack Keystone V3 简介
Keystone V3 简介 Keystone 中主要涉及到如下几个概念:User.Tenant.Role.Token.下面对这几个概念进行简要说明. User:顾名思义就是使用服务的用户,可以是人. ...
- Keystone V3 API Examples
There are few things more useful than a set of examples when starting to work with a new API. Here a ...
- 【openStack】Libcloud 如何支持 keystone V3?
Examples This section includes some examples which show how to use the newly available functionality ...
- OpenStack Keystone v3 API新特性
原连接 http://blog.chinaunix.net/uid-21335514-id-3497996.html keystone的v3 API与v2.0相比有很大的不同,从API的请求格式到re ...
- Openstack Keystone V3 利用 curl 命令获取 token
curl -i \ -H "Content-Type: application/json" \ -d ' { "auth": { "identity& ...
随机推荐
- OpenStack基础组件安装keystone身份认证服务
域名解析 vim /etc/hosts 192.168.245.172 controller01 192.168.245.171 controller02 192.168.245.173 contro ...
- 微信小程序rich-text 文本首行缩进和图片居中
微信小程序开发使用rich-text组件渲染html格式的代码,常常因为不能自定义css导致文本不能缩进,以及图片不能居中等问题,这里可以考虑使用js的replace方法,替换字符串,然后在渲染的同时 ...
- Redis数据类型Set
Redis的SET是无序的String集合,它里面的元素是不会重复的. SADD,SMEMBERS SADD命令会添加新元素到SET,可以看到一次性可以添加一个或多个元素.SMEMBERS可以获取se ...
- DDD - 概述 - 聚合 - 限界上下文 (四)
最重要的一句话 DDD的所有有相关理论中,只有一句是至关重要的,但是也是最容易被忽略和最难做到的,抛弃传统的设计方式(思路)的思想,这句话起了决定性的作用,但是99%的人都忽略了或者在开始无法正视或理 ...
- 关于<服务器>定义
定义: 服务器,也称伺服器,是提供计算服务的设备.由于服务器需要响应服务请求,并进行处理,因此一般来说服务器应具备承担服务并且保障服务的能力. 服务器的构成:包括处理器.硬盘.内存.系统总线等,和 ...
- python购物车-基础版本
# 1. 用户先给自己的账户充钱:比如先充3000元.# 2. 页面显示 序号 + 商品名称 + 商品价格,如:# 1 电脑 1999# 2 鼠标 10# …# n 购物车结算# 3. 用户输入选择的 ...
- php 缓存 加速缓存
PHP四大加速缓存器opcache,apc,xcache,eAccelerator eAccelerator,xcache,opcache,apc(偏数据库缓存,分系统和用户缓存)是PHP缓存扩展, ...
- I - Infinite Improbability Drive
I - Infinite Improbability Drivehttp://codeforces.com/gym/241750/problem/I不断构造,先填n-1个0,然后能放1就放1,最后这个 ...
- django framawork
中文文档: https://q1mi.github.io/Django-REST-framework-documentation/ 神奇的generics from snippets.models i ...
- tp5.0.7 修复getshell漏洞
这里 接手项目用的是 tp5.0.7 突然想到前段事件的tp bug 事件 就试了下 发现确实有这种情况 参考帖子: https://bbs.ichunqiu.com/thread-48687-1-1 ...